Full Disclosure mailing list archives
RE: Full-disclosure Digest, Vol 9, Issue 3
From: "Martinez, Tino (Tempe)" <Tino.Martinez2 () Honeywell com>
Date: Wed, 2 Nov 2005 07:20:08 -0700
Yes

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of full-disclosure-request () lists grok org uk
Sent: Tuesday, November 01, 2005 10:42 PM
To: full-disclosure () lists grok org uk
Subject: Full-disclosure Digest, Vol 9, Issue 3

Send Full-Disclosure mailing list submissions to
	full-disclosure () lists grok org uk

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.grok.org.uk/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
	full-disclosure-request () lists grok org uk

You can reach the person managing the list at
	full-disclosure-owner () lists grok org uk

When replying, please edit your Subject line so it is more specific than "Re: Contents of Full-Disclosure digest..."

Note to digest recipients - when replying to digest posts, please trim your post appropriately. Thank you.

Today's Topics:

   1. Snort Back Orifice Preprocessor Exploit (Win32 targets) (Kira)
   2. Re: RFID docs & tools ? (Eric Auge)
   3. Re: readdir_r considered harmful (Ben Hutchings)
   4. RE: RE: Full-Disclosure Digest, Vol 8, Issue 48 (Martijn Lievaart)
   5. Re: Re: [Full-disclosure] new IE bug (confirmed on ALL windows) (unknown unknown)
   6. Re: Comparing Algorithms On The List OfHard-to-brut-force? (Andrew Farmer)
   7. Re: Comparing Algorithms On The List OfHard-to-brut-force? (James Longstreet)
   8. Gateway 7001 A/B/G AP: Selection of improper regulatory domains and channels (Andrew Lockhart)
   9. Re: new IE bug (confirmed on ALL windows) (Greg)
  10. Re: new IE bug (confirmed on ALL windows) (Greg)
  11. Re: readdir_r considered harmful (Ben Hutchings)
  12. Cisco Security Advisory: Cisco IPS MC Malformed Configuration Download Vulnerability (Cisco Systems Product Security Incident Response Team)
  13. RE: new IE bug (confirmed on ALL windows) (ad () class101 org)
  14. New Online RainbowCrack Engine (MR BABS)
  15. MDKSA-2005:202 - Updated squirrelmail packages fix vulnerability (Mandriva Security Team)
  16. MDKSA-2005:203 - Updated gda2.0 packages fix string format vulnerability (Mandriva Security Team)
  17. MDKSA-2005:204 - Updated wget packages fix vulnerability (Mandriva Security Team)
  18. Re: New Online RainbowCrack Engine (str0ke)
  19. On Interpretation Conflict Vulnerabilities (Steven M. Christey)
  20. Re: how to describe this tool ? (Native.Code)

----------------------------------------------------------------------

Message: 1
Date: Tue, 1 Nov 2005 17:32:04 +0700
From: Kira <trir00t () gmail com>
Subject: [Full-disclosure] Snort Back Orifice Preprocessor Exploit (Win32 targets)
To: bugtraq () securityfocus com, full-disclosure () lists grok org uk
Message-ID: <ca67aa9e0511010232p5af56ddbja8fe6c02817fe2d3 () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

Dear All

I wrote Snort Back Orifice Preprocessor Exploit for Win32 targets. It's for educational purpose only.

This exploit was tested on
- Snort 2.4.2 Binary + Windows XP Professional SP1
- Snort 2.4.2 Binary + Windows XP Professional SP2
- Snort 2.4.2 Binary + Windows Server 2003 SP1
- Snort 2.4.2 Binary + Windows Server 2000 SP0
- Snort 2.4.2 Binary + Windows 2000 Professional SP0

Note 01: This exploit was written in form of MetaSploit module, so you need metasploit to launch it.
Note 02: The exploit's quite reliable, but if it doesn't work on your machine, try to find address of 'jmp esp' instruction and replace it to the old return address.

Regards,
Kira

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051101/5314e92e/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: snort_bo_overflow_win32.pm
Type: application/octet-stream
Size: 3507 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051101/5314e92e/snort_bo_overflow_win32-0001.obj

------------------------------

Message: 2
Date: Tue, 01 Nov 2005 10:52:09 +0100
From: Eric Auge <eau () phear org>
Subject: [Full-disclosure] Re: RFID docs & tools ?
To: full-disclosure () lists grok org uk
Cc: wifisec () securityfocus com, pen-test () securityfocus com
Message-ID: <43673AC9.3040302 () phear org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

http://openmrtd.org/

Eric.

Mark Sec wrote:
> Alo folks,
>
> Well , does anyone know links to buy "lectors" RFID ? I would like to do a "PoCs" on Hacking RFID , also i need tools, papers, PoCs & links related with this.
>
> thanks :-)
>
> - Mark
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
------------------------------

Message: 3
Date: Tue, 01 Nov 2005 13:02:45 +0000
From: Ben Hutchings <ben () decadentplace org uk>
Subject: Re: [Full-disclosure] readdir_r considered harmful
To: 3APA3A <3APA3A () SECURITY NNOV RU>
Cc: full-disclosure () lists grok org uk, bugtraq () securityfocus com
Message-ID: <1130850165.1980.7.camel@localhost>
Content-Type: text/plain; charset="us-ascii"

3APA3A wrote:
> Dear Ben Hutchings,
>
> If someone uses pathconf to determine buffer size, it's his own problem and he creates a vulnerability by himself. You can list such applications as vulnerable to race conditions.
<snip>
> NAME_MAX is defined in limits.h and should be 255 according to the latest POSIX extension. I see no problem with POSIX standard in this case. See:
> http://www.opengroup.org/onlinepubs/009695399/basedefs/limits.h.html
<snip>

If you had read the above page more carefully, you would have seen these paragraphs:

"The values in the following list may be constants within an implementation or may vary from one pathname to another. For example, file systems or directories may have different characteristics.

"A definition of one of the values shall be omitted from the <limits.h> header on specific implementations where the corresponding value is equal to or greater than the stated minimum, but where the value can vary depending on the file to which it is applied. The actual value supported for a specific pathname shall be provided by the pathconf() function."

-- 
Ben Hutchings
When you say `I wrote a program that crashed Windows', people just stare ...
and say `Hey, I got those with the system, *for free*'. - Linus Torvalds
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051101/cc6a76f7/attachment-0001.bin

------------------------------

Message: 4
Date: Tue, 1 Nov 2005 15:56:40 +0100 (CET)
From: "Martijn Lievaart" <m () rtij nl>
Subject: RE: [Full-disclosure] RE: Full-disclosure Digest, Vol 8, Issue 48
To: full-disclosure () lists grok org uk
Message-ID: <40591.217.166.60.19.1130857000.squirrel () ma rtij nl>
Content-Type: text/plain; charset=iso-8859-1

Nick FitzGerald said:
> Martijn Lievaart wrote:
>
> > Hihi, clamav cought that... :-]
>
> Your point?
I thought this thread was about evading virus scanners. So modifying a batch virus and pasting it in the middle of an email does not fool at least one virus scanner, fwiw. One can argue it is a false positive though.
> Once upon a time it "cought" the GPL as a virus too...
That is one virus I *want* to propagate. :-)

M4

------------------------------

Message: 5
Date: Tue, 1 Nov 2005 17:42:15 +0000
From: unknown unknown <unknown.pentester () gmail com>
Subject: Re: Re: [Full-disclosure] new IE bug (confirmed on ALL windows)
To: full-disclosure () lists grok org uk
Message-ID: <b7a807650511010942jb84e1a5k507ae1a5bb391a52 () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

Mini version of IECrash confirmed
IE 6.0 Windows XP Pro SP2 (English version)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051101/3c380980/attachment-0001.html

------------------------------

Message: 6
Date: Tue, 1 Nov 2005 10:55:31 -0800
From: Andrew Farmer <andfarm () gmail com>
Subject: Re: [Full-disclosure] Comparing Algorithms On The List OfHard-to-brut-force?
To: Brandon Enright <bmenrigh () ucsd edu>
Cc: full-disclosure () lists grok org uk
Message-ID: <D0941C4D-BE84-4156-8275-2C9C3FE090E0 () gmail com>
Content-Type: text/plain; charset="us-ascii"

On 01 Nov 05, at 10:11, Brandon Enright wrote:
> Brute forcing an algorithm suggests that you are not attacking a weakness or known flaw in the algorithm but rather just running through the keyspace trying to recover the plaintext. In that case, whichever allows you to use the most bits is what you want.
Note that the encryption speed of an algorithm is *not* a significant factor in the time taken to brute-force it, except for extremely small keyspaces! Remember that the time taken to brute-force an N-bit algorithm that takes K seconds per encryption is, on average

	K * 2^N

which increases much more rapidly with N than it does with K. Adding even one more bit will double the average time taken to brute-force an algorithm, while using a slower algorithm will only increase the difficulty marginally.

Also note that anything beyond 256 bits is silly. Brute-forcing a 256-bit algorithm can be shown to be PHYSICALLY impossible, so there's no reason to go anywhere beyond that.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 186 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051101/d90d6a8d/PGP-0001.bin

------------------------------

Message: 7
Date: Tue, 1 Nov 2005 13:04:16 -0600
From: James Longstreet <jlongs2 () uic edu>
Subject: Re: [Full-disclosure] Comparing Algorithms On The List OfHard-to-brut-force?
To: full-disclosure () lists grok org uk
Message-ID: <576B0A1B-3A88-4F1A-9705-A2D122F68FC0 () uic edu>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed

On Nov 1, 2005, at 12:11 PM, Brandon Enright wrote:
> IIRC, there aren't any good known attacks against Blowfish, AES, or Twofish so the *RIGHT* algorithm is whatever works best for your application.
Depending on the situation, there may be a feasible cache-timing attack on software implementations of AES: http://cr.yp.to/antiforgery/cachetiming-20050414.pdf

------------------------------

Message: 8
Date: Tue, 01 Nov 2005 12:15:19 -0700
From: Andrew Lockhart <alockhart () networkchemistry com>
Subject: [Full-disclosure] Gateway 7001 A/B/G AP: Selection of improper regulatory domains and channels
To: <bugtraq () securityfocus com>, "full-disclosure () lists grok org uk" <full-disclosure () lists grok org uk>
Message-ID: <BF8D0CD7.EB9%alockhart () networkchemistry com>
Content-Type: text/plain; charset="US-ASCII"

Issue: Gateway 7001 AP allows selection of restricted 802.11a/b/g channels
Author: Network Chemistry Labs <labs at networkchemistry dot com>
Vendor: Gateway
Products: Gateway 7001 802.11 A/B/G Dual Band Wireless Access Point
Type: Input Validation
Exploit: Not required

I. Intro

The IEEE 802.11 family of standards defines the channels that a device is allowed to operate on for specific geographic regions in order to comply with different countries' radio frequency usage regulations.

II. Vulnerability

The web management interface for the Gateway 7001 A/B/G AP contains an input validation vulnerability that allows anyone authenticated with the device's built-in web server to configure the device to use channels not regulated for 802.11a/b/g use in their geographic region. The potential impact is that a user could configure the device to operate outside the allocated bandwidth for 802.11 within their country, thus causing interference to other radio systems. In addition, the device will not be visible to other 802.11 devices operating in the area.

III. Details

The IEEE 802.11 standards provide guidance on the channels that a device may operate on in order to comply with a country's radio frequency usage regulations. As is common on many access points, the Gateway 7001 A/B/G AP provides a web based interface for configuring the device.
This can be used to set the channel that the AP operates on. The POST form in the web-management interface used to set the channel includes a form element called "RegulatoryDomain." Through experimentation it appears that this parameter affects input validation operations on the channel supplied in the request. For example, if the regulatory domain parameter is set to FCC, then the device's firmware will only change channels if the channel value in the request is from 1 to 11. Anything outside this range, such as channel 13 (a European channel), will be rejected. However, if the regulatory domain parameter is changed, then the firmware will allow the device's channel to be changed to any channel allowed in the specified domain. This can cause the device to create interference with non-802.11 devices in the vicinity as well as allow devices to be configured to elude 802.11 security walk-throughs by operating on frequencies that the detection equipment is incapable of monitoring.

IV. Demonstration

In addition to POST requests, the web interface will accept the same parameters in the form of a GET request. The web-based management software for the Gateway 7001 A/B/G AP uses a request string of the following form to set configuration parameters:

http://192.168.2.1/index.cgi?r1Mode=IEEE+802.11g&r1RegulatoryDomain=FCC&r1Channel=1&r2Mode=IEEE+802.11a&r2RegulatoryDomain=FCC&r2Channel=36&r1b1s1Ssid=NetChemLabs&r1b2s1Ssid=NetChemLabs-Guest&page=wireless.html&Update=Update

To change the frequencies of operation available all that needs to be done is to simply change the RegulatoryDomain parameter. For instance to operate on Japanese channels, the string "FCC" would be changed to "MKK."
This allows the channel parameters corresponding to the 802.11b/g and 802.11a radios to be changed to channels such as 14 and 34 respectively, which the management software will apply to the underlying hardware:

http://192.168.2.1/index.cgi?r1Mode=IEEE+802.11g&r1RegulatoryDomain=MKK&r1Channel=14&r2Mode=IEEE+802.11a&r2RegulatoryDomain=MKK&r2Channel=34&r1b1s1Ssid=NetChemLabs+&r1b2s1Ssid=NetChemLabs-Guest&page=wireless.html&Update=Update

It was also verified that European channels were settable when changing the RegulatoryDomain parameter to "ETSI."

To verify that the device is indeed operating on non-FCC channels, special 802.11 sensor hardware was used to monitor the device on the specified channels.

The Gateway 7001 A/B/G AP makes use of DeviceScape's Instant802 Wireless Infrastructure Platform for configuration and management. It is unknown at this time whether this issue affects other devices utilizing this software, due to the fact that we have only tested the Gateway 7001 A/B/G AP at this point. Gateway also produces an 802.11 b/g version of the Gateway 7001 AP. It is also unknown whether this model is affected.

It should be noted that Gateway does not provide a firmware upgrade for the affected AP.

V. Timeline

10/21 - Contacted Gateway: No response received
10/21 - Contacted DeviceScape: No response received
10/4 - Contacted Gateway: No response received
9/28 - Contacted DeviceScape to confirm they had observed the issue: No response received
9/26 - Contacted Gateway: No response received
9/21 - Made contact with Gateway Support: told someone would follow-up
9/20 - Received follow-up response from DeviceScape
9/19 - Made contact with DeviceScape

VI. References

Gateway 7001 A/B/G AP product support page:
http://support.gateway.com/s/Servers/COMPO/NETWORK/7005082/7005082nv.shtml

Instant802 WIP product page:
http://www.devicescape.com/products/wip_landing.php

-- 
Andrew Lockhart <alockhart () networkchemistry com>
Security Analyst, Network Chemistry
PGP Key ID: 58369156
Fingerprint: 0AE1 E826 1922 5453 2B34 E1AA F524 D20B 5836 9156

------------------------------

Message: 9
Date: Wed, 2 Nov 2005 07:31:57 +1100
From: "Greg" <full-disclosure () pchandyman com au>
Subject: Re: [Full-disclosure] new IE bug (confirmed on ALL windows)
To: <full-disclosure () lists grok org uk>
Message-ID: <005601c5df23$4eaa9a20$5601010a@P4>
Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=original

----- Original Message ----- 
From: <ad () class101 org>
To: <full-disclosure () lists grok org uk>
Sent: Wednesday, November 02, 2005 4:00 AM
Subject: [Full-disclosure] new IE bug (confirmed on ALL windows)
> I think I have found by chance this weekend a security bug, while browsing the website news, within iexplorer on all windows versions.
Sorry to be the "Negative Nark" here but yes, the crash works on IESP2 with XPSP2 but NO it does NOT crash WIN98SE with IESP2. The 98SE box was networked through ICS (wired to this XP box then wi-fi to a router) and has no firewall of its own. This XP box through which the 98SE box gets its internet is in the router's DMZ and uses only Zone Alarm Pro, just for clarity.

So, in essence the "confirmed on all windows" is wrong.

Greg.

------------------------------

Message: 10
Date: Wed, 2 Nov 2005 07:42:02 +1100
From: "Greg" <full-disclosure () pchandyman com au>
Subject: Re: [Full-disclosure] new IE bug (confirmed on ALL windows)
To: <full-disclosure () lists grok org uk>
Message-ID: <006301c5df24$b6eba380$5601010a@P4>
Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=response

----- Original Message ----- 
From: "Greg" <full-disclosure () pchandyman com au>
To: <full-disclosure () lists grok org uk>
Sent: Wednesday, November 02, 2005 7:31 AM
Subject: Re: [Full-disclosure] new IE bug (confirmed on ALL windows)
> Sorry to be the "Negative Nark" here but yes, the crash works on IESP2 with XPSP2 but NO it does NOT crash WIN98SE with IESP2. The 98SE box was networked through ICS (wired to this XP box then wi-fi to a router) and has no firewall of its own. This XP box through which the 98SE box gets its internet is in the router's DMZ and uses only Zone Alarm Pro, just for clarity.
>
> So, in essence the "confirmed on all windows" is wrong.
Sorry about the typo. Of course I meant IE6SP2 above where I typed IESP2. Lesson learned - don't go typing things like that after about 6 hours sleep in the last 48! Never work for yourself. The boss is a &*^%!!

Greg.

------------------------------

Message: 11
Date: Tue, 01 Nov 2005 20:16:42 +0000
From: Ben Hutchings <ben () decadentplace org uk>
Subject: [Full-disclosure] Re: readdir_r considered harmful
To: bugtraq () securityfocus com, full-disclosure () lists grok org uk
Message-ID: <1130876202.1994.60.camel@localhost>
Content-Type: text/plain; charset="us-ascii"

I wrote:
> readdir_r considered harmful
> ============================
A second revision of this advisory (and any future revisions) can be found at <http://womble.decadentplace.org.uk/readdir_r-advisory.html>. I have updated the recommendations to cover HP-UX and Tru64 properly.

Ben.

-- 
Ben Hutchings
When you say `I wrote a program that crashed Windows', people just stare ...
and say `Hey, I got those with the system, *for free*'. - Linus Torvalds
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051101/cb7f26cf/attachment-0001.bin

------------------------------

Message: 12
Date: Tue, 01 Nov 2005 16:50:22 -0500
From: Cisco Systems Product Security Incident Response Team <psirt () cisco com>
Subject: [Full-disclosure] Cisco Security Advisory: Cisco IPS MC Malformed Configuration Download Vulnerability
To: full-disclosure () lists grok org uk
Cc: psirt () cisco com
Message-ID: <200511011650.ipsmc () psirt cisco com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory:
========================

Cisco IPS MC Malformed Configuration Download Vulnerability
===========================================================

Document ID: 68065

Revision 1.0

Last Updated For Public Release 2005 November 1 2000 UTC (GMT)

- -----------------------------------------------------------------------

Contents
========

Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice: FINAL
Distribution
Revision History
Cisco Security Procedures

- -----------------------------------------------------------------------

Summary
=======

The CiscoWorks VPN/Security Management Solution (VMS) is a network management application that includes Web-based tools for configuring, monitoring, and troubleshooting VPNs, firewalls, network intrusion detection systems (NIDSs), network intrusion prevention systems (NIPSs) and host intrusion prevention systems (HIPSs). CiscoWorks VMS also includes network device inventory, change audit, and software distribution features.

An issue exists in one of the components of the Cisco Management Center for IPS Sensors (IPS MC) v2.1 during the generation of the Cisco IOS IPS (Intrusion Prevention System) configuration file that may result in some signatures belonging to certain classes being disabled during the configuration deployment process.

Cisco has made a free software patch available to address this vulnerability for affected customers.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20051101-ipsmc.shtml.

Affected Products
=================

Vulnerable Products
+------------------

  * Cisco IOS IPS devices that have been configured by IPS MC v2.1.

Products Confirmed Not Vulnerable
+--------------------------------

  * Cisco IOS IPS devices that have NOT been configured by IPS MC v2.1. This category includes Cisco IOS IPS devices that have been configured by using any of the following methods:
      + Cisco IDS MC (Management Center for IDS Sensors)
      + Cisco SDM (Security Device Manager)
      + Cisco IOS CLI (Command Line Interface)

  * Any other Cisco IDS/IPS solution, configured by either Cisco IPS MC v2.1, Cisco IDS MC (any version), Cisco SDM (any version) or by using the Cisco IOS CLI. These include:
      + Cisco IOS IDS
      + Cisco PIX/ASA IDS
      + Cisco IPS 4200 Series Sensors
      + Cisco Catalyst 6500/7600 Series Intrusion Detection System (IDSM-2) Module
      + Cisco IDS Network Module (NM-CIDS-K9)
      + Cisco ASA Advanced Inspection and Prevention (AIP) Security Services Module

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

Some Cisco routers running Cisco IOS include a feature called Cisco IOS IPS. The Cisco IOS IPS acts as an in-line intrusion protection sensor, watching packets and sessions as they flow through the router and scanning each packet to match any of the Cisco IOS IPS signatures that have been enabled on the device configuration. When it detects suspicious activity, it responds before network security can be compromised and logs the event through Cisco IOS syslog messages or Security Device Event Exchange (SDEE). The network administrator can configure Cisco IOS IPS to choose the appropriate response to various threats.

Customers can use multiple methods, including Cisco IPS MC, Cisco IDS MC, Cisco SDM and the Cisco IOS CLI, to enable, disable and configure Cisco IOS IPS signatures.

Some signatures dealing with TCP or UDP traffic analyze traffic destined to specific ports. Those ports are pre-configured with default values, and some signatures might allow changes to the list of ports to be monitored. If the Cisco IOS IPS devices have been configured by using the Cisco IPS MC v2.1, the Cisco IPS MC might download a configuration file to the device that does not contain a value for the port field in one or more signatures, resulting in the affected Cisco IOS IPS device disabling those signatures.

Only signatures using either the STRING.TCP or STRING.UDP signature micro-engine (SME) are affected by this vulnerability. Additionally, this behavior only happens if those signatures were enabled and configured from the Cisco IPS MC GUI; signatures belonging to the STRING.TCP or STRING.UDP SMEs that were previously configured on the device and imported into the Cisco IPS MC will not experience this issue.

The list of signatures currently loaded into a Cisco IOS IPS device and their status can be obtained by executing the "show ip ips signatures" command.
The following abbreviated output shows signatures currently loaded into the device, both enabled and disabled:

Router#show ip ips signatures
Builtin signatures are configured
Signatures were last loaded from flash:128MB.sdf
Cisco SDF release version 128MB.sdf v4
Trend SDF release version V0.0
*=Marked for Deletion Action=(A)larm,(D)rop,(R)eset
Trait=AlarmTraits MH=MinHits AI=AlarmInterval CT=ChokeThreshold
TI=ThrottleInterval AT=AlarmThrottle FA=FlipAddr WF=WantFrag

Signature Micro-Engine: OTHER (4 sigs)
SigID:SubID On Action Sev  Trait MH    AI    CT    TI    AT FA WF Version
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- -- -------
1201:0      Y  A      HIGH 0     0     0     30    15    FA N  N  2.2.1.5
1202:0      Y  A      HIGH 0     0     0     100   15    FA N  N  2.2.1.5
1203:0      Y  A      HIGH 0     0     0     30    15    FA N  N  2.2.1.5
3050:0      Y  A      HIGH 0     0     0     0     15    FA N     1.0

Signature Micro-Engine: STRING.ICMP (1 sigs)
SigID:SubID On Action Sev  Trait MH    AI    CT    TI    AT FA WF Version
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- -- -------
2156:0      Y  A      MED  0     0     0     0     15    FA N     S54

Signature Micro-Engine: STRING.UDP (16 sigs)
SigID:SubID On Action Sev  Trait MH    AI    CT    TI    AT FA WF Version
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- -- -------
4060:0      Y  A      MED  0     0     0     0     15    FA N     S10
4060:1      Y  A      MED  0     0     0     0     15    FA N     S173
4607:0      Y  A      HIGH 0     0     0     0     15    FA N     S30
4607:1      Y  A      HIGH 0     0     0     0     15    FA N     S30
4607:2      Y  A      HIGH 0     0     0     0     15    FA N     S30
4607:3      Y  A      HIGH 0     0     0     0     15    FA N     S30
4607:4      Y  A      HIGH 0     0     0     0     15    FA N     S30
4608:0      N  A      HIGH 0     1     0     0     15    FA N     S30
4608:1      Y  A      HIGH 0     1     0     0     15    FA N     S30
4608:2      Y  A      HIGH 0     1     0     0     15    FA N     S30
11000:0     N  A      LOW  0     0     0     0     15    FA N     S37
11000:1     Y  A      LOW  0     0     0     0     15    FA N     S37
11000:2     Y  A      LOW  0     0     0     0     15    FA N     S136
11207:0     Y  A      INFO 0     0     0     0     15    FA N     S139
11208:0     Y  A      INFO 0     0     0     0     15    FA N     S139
11209:0     Y  A      INFO 0     0     0     0     15    FA N     S139

Signature Micro-Engine: STRING.TCP (60 sigs)
SigID:SubID On Action Sev  Trait MH    AI    CT    TI    AT FA WF Version
----------- -- ------ ---- ----- ----- ----- ----- ----- -- -- -- -------
3116:0      Y  A      HIGH 0     1     0     0     15    FA N     S12
3117:0      N  A      LOW  0     1     0     0     15    FA N     S13
3117:1      Y  A      LOW  0     1     0     0     15    FA N     S13
3120:0      Y  A      LOW  0     1     0     0     15    FA N     S13
3120:1      Y  A      LOW  0     1     0     0     15    FA N     S13
3132:0      Y  A      HIGH 0     1     0     0     15    FA N     S67
3132:1      Y  A      HIGH 0     1     0     0     15    FA N     S67
3135:0      Y  A      HIGH 0     1     0     0     15    FA N     S73
3137:1      Y  A      HIGH 0     1     0     0     15    FA N     S83
3137:2      Y  A      HIGH 0     1     0     0     15    FA N     S128
3141:0      Y  A      HIGH 0     1     0     0     15    FA N     S94
3142:1      Y  A      HIGH 0     1     0     0     15    FA N     S92
3152:0      Y  A      MED  0     1     0     0     15    FA N     2.1.1
3450:0      Y  A      LOW  0     1     0     0     15    FA N     1.0
5570:0      Y  A R    HIGH 0     1     0     0     15    FA N     S185
5571:0      Y  A R    HIGH 0     1     0     0     15    FA N     S185
9479:0      Y  A      HIGH 0     1     0     0     15    FA N     S104
9480:0      Y  A      HIGH 0     1     0     0     15    FA N     S104
9481:0      Y  A      HIGH 0     1     0     0     15    FA N     S104
9482:0      Y  A      HIGH 0     1     0     0     15    FA N     S104
9483:0      Y  A      HIGH 0     1     0     0     15    FA N     S104
 --More--

Any signature with a capital N under the 'On' column is DISABLED, while any signature with a capital Y under the same column is ENABLED. In this example, signatures 4608:0 and 11000:0 (belonging to the STRING.UDP SME), and signature 3117:0 (belonging to the STRING.TCP SME) are listed as disabled.

For each signature listed as disabled in the output of the "show ip ips signatures" command, a corresponding "ip ips signature <SigID> <SubsigID> disable" command should be visible on the running configuration. This is an example of the "show running-configuration" command, using a filter to only display configuration lines belonging to signatures that have been disabled:

Router#show running-config | include ip ips signature .* disable
ip ips signature 11000 0 disable
ip ips signature 4608 0 disable
ip ips signature 3117 0 disable
Router#

This vulnerability is documented in the Cisco Bug Toolkit as Bug ID CSCsc33696.
Impact ====== While this is not a vulnerability in the Cisco IOS IPS code itself, in the processing performed by Cisco IOS IPS on traffic traversing the device, or in the Cisco IPS MC v2.1, this vulnerability might result in an incomplete analysis of network traffic traversing the Cisco IOS IPS device, which could allow some attacks to go unnoticed. Software Versions and Fixes =========================== When considering software upgrades, please also consult http://www.cisco.com/en/US/products/products_security_advisories_listing.html and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") for assistance. Cisco has developed a software fix for this vulnerability. Once the fix is applied to a VMS server running IPS MC v2.1, the IPS MC will correctly populate the port field attached to a signature using either the STRING.TCP or STRING.UDP SME. Additional steps will be required to be performed. Please read the README file published together with the software fix. In order to obtain this software fix, customers should access the VMS Software download page for IDS MC and IPS MC, available at http://www.cisco.com/pcgi-bin/tablebuild.pl/mgmt-ctr-ids-app. The fix consists of the following three files: * idsmdc2.1.0-win-CSCsc336961.tar - this file contains the fix itself for IPS MC v2.1 running on the Windows operating system. * CSCOids2.1.0-sol-CSCsc336961.tar - this file contains the fix itself for IPS MC v2.1 running on the Solaris operating system. 
* CSCsc33696-README.txt - this file contains instructions on how to apply the software fix to an affected IPS MC v2.1 installation (either Windows or Solaris) and any needed pre and post installation tasks to be carried out by the user. Obtaining Fixed Software ======================== Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third-party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for assistance with the upgrade, which should be free of charge. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac () cisco com Please have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Please do not contact either "psirt () cisco com" or "security-alert () cisco com" for software upgrades. 
See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including special localized telephone numbers and instructions and e-mail addresses for use in various languages.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Workarounds
===========

There are no recommended workarounds for this vulnerability. Please see the Obtaining Fixed Software section for appropriate solutions to resolve this vulnerability.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

This vulnerability was reported to Cisco by a customer.

Status of This Notice: FINAL
============================

THIS ADVISORY IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE ADVISORY OR MATERIALS LINKED FROM THE ADVISORY IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS NOTICE AT ANY TIME.

A stand-alone copy or paraphrase of the text of this security advisory that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at http://www.cisco.com/warp/public/707/cisco-sa-20051101-ipsmc.shtml.

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.
  * cust-security-announce () cisco com
  * first-teams () first org (includes CERT/CC)
  * bugtraq () securityfocus com
  * vulnwatch () vulnwatch org
  * cisco () spot colorado edu
  * cisco-nsp () puck nether net
  * full-disclosure () lists grok org uk
  * comp.dcom.sys.cisco () newsgate cisco com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+----------------------------------------------------------+
| Revision 1.0 | 2005-November-1 | Initial public release  |
+----------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

- -----------------------------------------------------------------------
All contents are Copyright 1992-2005 Cisco Systems, Inc. All rights reserved.
- -----------------------------------------------------------------------
Updated: Nov 01, 2005
Document ID: 68065
- -----------------------------------------------------------------------

------------------------------

Message: 13
Date: Wed, 2 Nov 2005 00:06:18 +0100
From: <ad () class101 org>
Subject: RE: [Full-disclosure] new IE bug (confirmed on ALL windows)
To: "'Greg'" <full-disclosure () pchandyman com au>
Cc: full-disclosure () lists grok org uk
Message-ID: <000301c5df38$df7ad960$0400a8c0@winxp64>
Content-Type: text/plain; charset="iso-8859-1"

Rofl... there is always someone to play with words...

-----Original Message-----
From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Greg
Sent: Tuesday, 1 November 2005 21:32
To: full-disclosure () lists grok org uk
Subject: Re: [Full-disclosure] new IE bug (confirmed on ALL windows)

----- Original Message -----
From: <ad () class101 org>
To: <full-disclosure () lists grok org uk>
Sent: Wednesday, November 02, 2005 4:00 AM
Subject: [Full-disclosure] new IE bug (confirmed on ALL windows)
I think I have found by chance this weekend a security bug, while browsing the website news, within iexplorer on all windows versions.
Sorry to be the "Negative Nark" here but yes, the crash works on IESP2 with XPSP2 but NO it does NOT crash WIN98SE with IESP2. The 98SE box was networked through ICS (wired to this XP box then wi-fi to a router) and has no firewall of its own. This XP box through which the 98SE box gets its internet is in the router's DMZ and uses only Zone Alarm Pro, just for clarity.

So, in essence the "confirmed on all windows" is wrong.

Greg.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

------------------------------

Message: 14
Date: Tue, 1 Nov 2005 18:16:09 -0500
From: MR BABS <mrbabs () gmail com>
Subject: [Full-disclosure] New Online RainbowCrack Engine
To: full-disclosure () lists grok org uk
Message-ID: <7351b7a60511011516h45f53400xde9d126e7ecdbcc5 () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

Hey guys,

Just finished everything up on RainbowCrack-Online, wasn't sure if anyone would be interested, there's a membership fee, as servers, generation and cracking machines are expensive, you guys know the score. Really nice collection of tables, you can take a look-see at www.rainbowcrack-online.com <http://www.rainbowcrack-online.com/>.

Current sets include:

LanManager-All (all printable chars) 1-14 (the tables are 1-7, but view the specs on LM hashing for more info)
NTLM MixAlpha Numeric 1-7
NTLM LowerAlpha Numeric 1-8
MD5 Alpha Numeric Symbol32 Space 1-7
MD5 LowerAlpha Numeric Symbol32 Space 1-7
MD5 LowerAlpha Numeric 1-8
MD5 MixAlpha Numeric 1-7
SHA1 MixAlpha Numeric 1-7
MySQL 323 MixAlpha Numeric 1-7
CiscoPIX MixAlpha Numeric 1-7

We're almost done generation of MD4, and MySQL SHA1 tables. Should have some articles in Information soon, basically information on what to do to leverage knowing hashes. (And how to get the hashes in the first place.)
For you pen tester fellows, we will be offering the tables for sale to you guys, as well as registered businesses, prices should be up later.

-Regards,
Travis
</spam>

------------------------------

Message: 15
Date: Tue, 01 Nov 2005 16:20:24 -0700
From: Mandriva Security Team <security () mandriva com>
Subject: [Full-disclosure] MDKSA-2005:202 - Updated squirrelmail packages fix vulnerability
To: full-disclosure () lists grok org uk
Message-ID: <E1EX5QW-00032F-MT () mercury mandriva com>

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDKSA-2005:202
http://www.mandriva.com/security/
_______________________________________________________________________

Package : squirrelmail
Date    : November 1, 2005
Affected: Corporate 3.0
_______________________________________________________________________

Problem Description:

A vulnerability in the way that SquirrelMail handled the $_POST variables was discovered. If a user was tricked into visiting a malicious URL, the user's SquirrelMail preferences could be read or modified.

This vulnerability is corrected in SquirrelMail 1.4.5 and the updated packages provide the latest stable version.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2095
_______________________________________________________________________

Updated Packages:

Corporate 3.0
Corporate 3.0/X86_64
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security.
You can obtain the GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>

------------------------------

Message: 16
Date: Tue, 01 Nov 2005 16:21:48 -0700
From: Mandriva Security Team <security () mandriva com>
Subject: [Full-disclosure] MDKSA-2005:203 - Updated gda2.0 packages fix string format vulnerability
To: full-disclosure () lists grok org uk
Message-ID: <E1EX5Rs-00036z-Hk () mercury mandriva com>

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDKSA-2005:203
http://www.mandriva.com/security/
_______________________________________________________________________

Package : gda2.0
Date    : November 1, 2005
Affected: 10.2, 2006.0, Corporate 3.0
_______________________________________________________________________

Problem Description:

Steve Kemp discovered two format string vulnerabilities in libgda2, the GNOME Data Access library for GNOME2, which may lead to the execution of arbitrary code in programs that use this library.

The updated packages have been patched to correct this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2958
_______________________________________________________________________

Updated Packages:

Corporate 3.0
Corporate 3.0/X86_64
Mandriva Linux 10.2
Mandriva Linux 10.2/X86_64
Mandriva Linux 2006.0
Mandriva Linux 2006.0/X86_64
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security.

You can obtain the GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>

------------------------------

Message: 17
Date: Tue, 01 Nov 2005 16:23:10 -0700
From: Mandriva Security Team <security () mandriva com>
Subject: [Full-disclosure] MDKSA-2005:204 - Updated wget packages fix vulnerability
To: full-disclosure () lists grok org uk
Message-ID: <E1EX5TC-0003Bg-GO () mercury mandriva com>

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDKSA-2005:204
http://www.mandriva.com/security/
_______________________________________________________________________

Package : wget
Date    : November 1, 2005
Affected: 10.1, 10.2, Corporate 3.0, Multi Network Firewall 2.0
_______________________________________________________________________

Problem Description:

Hugo Vazquez Carames discovered a race condition when writing output files in wget.
After wget determined the output file name, but before the file was actually opened, a local attacker with write permissions to the download directory could create a symbolic link with the name of the output file. This could be exploited to overwrite arbitrary files with the permissions of the user invoking wget. The time window of opportunity for the attacker is determined solely by the delay of the first received data packet.

The updated packages have been patched to correct this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-2014
_______________________________________________________________________

Updated Packages:

Mandriva Linux 10.1
Mandriva Linux 10.1/X86_64
Corporate 3.0
Corporate 3.0/X86_64
Multi Network Firewall 2.0
Mandriva Linux 10.2
Mandriva Linux 10.2/X86_64
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security.

You can obtain the GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>

------------------------------

Message: 18
Date: Tue, 1 Nov 2005 18:05:07 -0600
From: str0ke <str0ke () milw0rm com>
Subject: Re: [Full-disclosure] New Online RainbowCrack Engine
To: MR BABS <mrbabs () gmail com>
Cc: full-disclosure () lists grok org uk
Message-ID: <814b9d50511011605u41cda7e3i46e0c47290eacffe () mail gmail com>
Content-Type: text/plain; charset=ISO-8859-1

Is your webserver a 9-5 service or is it just down for other reasons?

/str0ke

On 11/1/05, MR BABS <mrbabs () gmail com> wrote:
Hey guys,

Just finished everything up on RainbowCrack-Online, wasn't sure if anyone would be interested, there's a membership fee, as servers, generation and cracking machines are expensive, you guys know the score. Really nice collection of tables, you can take a look-see at www.rainbowcrack-online.com.

Current sets include:

LanManager-All (all printable chars) 1-14 (the tables are 1-7, but view the specs on LM hashing for more info)
NTLM MixAlpha Numeric 1-7
NTLM LowerAlpha Numeric 1-8
MD5 Alpha Numeric Symbol32 Space 1-7
MD5 LowerAlpha Numeric Symbol32 Space 1-7
MD5 LowerAlpha Numeric 1-8
MD5 MixAlpha Numeric 1-7
SHA1 MixAlpha Numeric 1-7
MySQL 323 MixAlpha Numeric 1-7
CiscoPIX MixAlpha Numeric 1-7

We're almost done generation of MD4, and MySQL SHA1 tables. Should have some articles in Information soon, basically information on what to do to leverage knowing hashes. (And how to get the hashes in the first place.)

For you pen tester fellows, we will be offering the tables for sale to you guys, as well as registered businesses, prices should be up later.

-Regards,
Travis
</spam>
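The output-file race described in MDKSA-2005:204 (message 17 above) played out in a scratch directory, next to the hardened open that closes the window; this is an added example, not code from wget or from Mandriva. The file names, the helper functions and a POSIX filesystem are assumptions of the demonstration.

```python
"""Output-file race of the kind described in MDKSA-2005:204, and the usual fix.

Added example, not code from wget or Mandriva. A downloader chooses an output
name and opens it some time later; if another local user can write to the
download directory, a symlink can appear under that name in between. Opening
with O_CREAT|O_EXCL|O_NOFOLLOW refuses anything already present at the path,
so the write cannot be redirected. Assumes a POSIX filesystem (constructed).
"""
import os
import tempfile

ORIGINAL = b"original contents\n"      # constructed sample data
DOWNLOADED = b"downloaded payload\n"   # constructed sample data


def naive_save(path: str, data: bytes) -> None:
    """The vulnerable pattern: a plain open for writing follows whatever
    symlink sits at `path` and truncates the file it points to."""
    with open(path, "wb") as f:
        f.write(data)


def safe_save(path: str, data: bytes) -> None:
    """Hardened variant: create the file atomically and refuse if anything
    (regular file or symlink, dangling or not) already exists at `path`.
    O_EXCL makes the existence check and the create a single syscall."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o644)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def _read(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.read()


def simulate_race(workdir: str) -> dict:
    """Play the race out in `workdir`: the symlink is planted after the output
    name is chosen but before it is opened, once against each save routine."""
    victim = os.path.join(workdir, "victim.txt")   # a file the downloading user owns
    output = os.path.join(workdir, "index.html")   # the output name the downloader picked
    results = {}

    # Round 1: the naive open goes through the symlink and clobbers the victim.
    with open(victim, "wb") as f:
        f.write(ORIGINAL)
    os.symlink(victim, output)
    naive_save(output, DOWNLOADED)
    results["naive_clobbered_victim"] = _read(victim) == DOWNLOADED
    os.unlink(output)

    # Round 2: same planted link, hardened open. O_EXCL fails with EEXIST,
    # which Python surfaces as FileExistsError; nothing is written anywhere.
    with open(victim, "wb") as f:
        f.write(ORIGINAL)
    os.symlink(victim, output)
    try:
        safe_save(output, DOWNLOADED)
        results["safe_refused"] = False
    except FileExistsError:
        results["safe_refused"] = True
    results["victim_intact_after_safe"] = _read(victim) == ORIGINAL
    return results


def demo() -> dict:
    """Run the simulation in a throw-away directory and return the outcomes."""
    with tempfile.TemporaryDirectory() as workdir:
        return simulate_race(workdir)


if __name__ == "__main__":
    print(demo())
```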
------------------------------

Message: 19
Date: Wed, 2 Nov 2005 00:29:26 -0500 (EST)
From: "Steven M. Christey" <coley () mitre org>
Subject: [Full-disclosure] On Interpretation Conflict Vulnerabilities
To: bugtraq () securityfocus com, full-disclosure () lists grok org uk
Message-ID: <200511020529.jA25TQJd018891 () linus mitre org>

In a post "SEC-CONSULT-SA-20051021-0: Yahoo/MSIE XSS", Bernhard Mueller said:
SEC-Consult believes that input-validation thru blacklists can just be a temporary solution to problems like this. From our point of view there are many other applications vulnerable to this special type of problem where vulnerabilities of clients and servers can be combined.

...

Excerpt from HTML-mails:
========================================================================

SCRIPT-TAG:
--cut here---
<h1>hello</h1><s[META-Char]cript>alert("i have you now")</s[META-Char]cript></br>rrrrrrxxxxx<br>
---cut here---

...

Recommended hotfixes for webmail-users
---------------
Do not use MS Internet-Explorer.
This falls under a class of vulnerabilities that I refer to as either "interpretation conflicts" or "multiple interpretation errors" depending on what time it is, though I'm leaning toward interpretation conflicts.

These types of problems frequently occur with products that serve as intermediaries, proxies, or monitors between other entities - such as antivirus products, web proxies, sniffers, IDSes, etc. They are a special type of interaction error in which one product (in this case, Yahoo email) performs reasonable actions but does not properly model all behaviors of another product that it's interacting with (in this case, Internet Explorer ignoring unusual characters right in the middle of HTML tags). The intermediary/proxy/monitor then becomes a conduit for exploitation due to the end product's unexpected behavior.

Some examples:

- Ptacek/Newsham's famous IDS evasion paper used interpretation conflicts to prevent IDSes from properly reconstructing network traffic as it would be processed by end systems.

- Many of the Anti-Virus evasion techniques you see these days involve interpretation conflicts - e.g. the magic byte problem, multiple content-type headers, and so on

- The recent problem with phpBB and others, because they did not account for how Internet Explorer renders HTML in corrupted .GIF images, is another example of an interpretation conflict.

- Many unusual XSS manipulations are due to interpretation conflicts in which one web browser supports a non-standard feature that others do not. Netscape had an unusual construct - something like "&{abc}" - that even a whitelist might not catch.
In my opinion, the "responsibility" for avoiding interpretation conflicts falls with:

- the intermediaries/proxies/monitors if the problem involves an incomplete model of *normal*, reasonable, and/or standards compliant behavior

- the end products, if the end product behavior does not conform with established standards

- the standards or protocols, if they are defined in ways that are too vague or flexible

However, if the end products already exhibit unexpected behaviors, the reality is that intermediaries are forced into anticipating all possible interpretation conflicts, and blamed if they do not.

Mueller also said:
Do not use blacklists on tags and attributes. Whitelist special/meta-characters.
Whitelists, while better than blacklists, can still be too permissive. This is especially the case with interpretation conflicts.

As I've suggested previously, Jon Postel's wisdom "Be liberal in what you accept, and conservative in what you send" has been a boon to the growth of networking, but blind adherence to this wisdom is a dangerous enabler of subtle vulnerabilities that will prevent us from ever having full control over the data that crosses our networks.

- Steve

------------------------------

Message: 20
Date: Wed, 2 Nov 2005 13:40:59 +0800
From: "Native.Code" <native.code () gmail com>
Subject: Re: [Full-disclosure] how to describe this tool ?
To: news-letters <news-letters () bluewin ch>
Cc: full-disclosure () lists grok org uk
Message-ID: <8dc64e550511012140j1ca7caf3q30906c526e0e48c3 () mail gmail com>
Content-Type: text/plain; charset="iso-8859-1"

Depends on the use you put it to. I will call it an auditing tool.

On 11/2/05, news-letters <news-letters () bluewin ch> wrote:
Hi list,

I have a perl script I'd like to release (GPL), but I don't really know how to describe it. To make it short, here's a session on one (remote) machine (but it's intended to be run on ip ranges with mostly windows hosts).

<sample>
Starting script.pl ...
searching hosts in 192.168.0.100 ...
found 192.168.0.100 : BRAIN
starting information gathering on BRAIN
getting OS version ...
TCP port scanning ...
UDP port scanning ...
Getting process list ...
Getting services list ...
Getting drive list ...
Getting share list ...
Getting installed applications list ...
Creating naudit_report_192.168.0.100.html ... (printable)
Creating report for 192.168.0.100 ... (browsable)
done.
Completed in 8.004 seconds
</sample>

and attached is a sample (printable) report.

Is this an: enumeration tool? auditing tool? Any idea?

Have a nice day.

Simon
------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

End of Full-Disclosure Digest, Vol 9, Issue 3
*********************************************
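The interpretation conflict from Steve Christey's message 19 above (a filter that does not model the renderer's tolerance for a stray character inside a tag name), as an added example that is not code from the thread, from Yahoo or from SEC-Consult. NUL standing in for Mueller's [META-Char], the lenient renderer model and the allow-list sanitizer are all constructed assumptions.

```python
"""Interpretation conflict between a filtering intermediary and a lenient renderer.

Added example, not code from the thread. The webmail filter, the renderer model
and the sanitizer are constructed: NUL stands in for Mueller's [META-Char], and
`lenient_render` assumes the end product silently drops it inside markup.
"""
import html
import re
from html.parser import HTMLParser

META_CHAR = "\x00"                           # assumption: the byte the renderer ignores
ALLOWED_TAGS = {"h1", "p", "b", "i", "br"}   # what the intermediary is willing to forward
SCRIPT_RE = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)

# Constructed mail bodies: the plain form and the form from the SEC-Consult excerpt
PLAIN_MAIL = '<h1>hello</h1><script>alert("i have you now")</script></br>rrrrrrxxxxx<br>'
EVASIVE_MAIL = PLAIN_MAIL.replace("script", "s" + META_CHAR + "cript")


def blacklist_filter(mail_html: str) -> str:
    """The intermediary's blacklist: delete anything that looks like a script
    tag *to the filter*. It models only well-formed tag names."""
    return SCRIPT_RE.sub("", mail_html)


def lenient_render(mail_html: str) -> str:
    """Constructed model of the end product: META_CHAR inside markup is
    ignored, so '<s\\x00cript>' is read as '<script>'."""
    return mail_html.replace(META_CHAR, "")


def script_reaches_renderer(mail_html: str) -> bool:
    """Detection check written from the renderer's point of view: does a script
    element survive once the end product has applied its own interpretation?"""
    return SCRIPT_RE.search(lenient_render(mail_html)) is not None


class _AllowListSanitizer(HTMLParser):
    """Rebuild the document from scratch: only allow-listed tags are emitted
    (attributes dropped), every run of text is escaped, all else is discarded."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.parts: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.parts.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        self.parts.append(html.escape(data, quote=True))


def sanitize(mail_html: str) -> str:
    """Canonicalise the way the renderer would, *then* allow-list. Filtering
    before canonicalisation is exactly the incomplete model Christey describes."""
    parser = _AllowListSanitizer()
    parser.feed(lenient_render(mail_html))
    parser.close()
    return "".join(parser.parts)


if __name__ == "__main__":
    print("blacklist lets evasive body through:",
          script_reaches_renderer(blacklist_filter(EVASIVE_MAIL)))
    print("sanitized:", sanitize(EVASIVE_MAIL))
```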
Current thread:
- RE: Full-disclosure Digest, Vol 9, Issue 3 Martinez, Tino (Tempe) (Nov 02)
- Re: RE: Full-disclosure Digest, Vol 9, Issue 3 Nick FitzGerald (Nov 02)
- Re: RE: Full-disclosure Digest, Vol 9, Issue 3 Robert Kim Wireless Internet Advisor (Nov 05)
- Re: RE: Full-disclosure Digest, Vol 9, Issue 3 Brian Dessent (Nov 05)
- Re: RE: Full-disclosure Digest, Vol 9, Issue 3 Ron DuFresne (Nov 06)
- Re: RE: Full-disclosure Digest, Vol 9, Issue 3 Joachim Schipper (Nov 07)
- Re: RE: Full-disclosure Digest, Vol 9, Issue 3 James Eaton-Lee (Nov 09)
- Re: RE: Full-disclosure Digest, Vol 9, Issue 3 Robert Kim Wireless Internet Advisor (Nov 05)
- RE: RE: Full-disclosure Digest, Vol 9, Issue 3 Aditya Deshmukh (Nov 05)
- Re: RE: Full-disclosure Digest, Vol 9, Issue 3 Nick FitzGerald (Nov 02)